Vail Valley Medical Center (VVMC) is in the process of notifying 3,118 patients of the inappropriate disclosure of some of their protected health information (PHI).

A physical therapist formerly employed at Howard Head Sports Medicine was discovered to have copied the PHI of patients and taken the data to his new employer. Prior to leaving employment, the physical therapist downloaded patient PHI onto a USB drive on two separate occasions.

VVMC discovered the former employee’s HIPAA violations on February 16, 2016. An internal investigation revealed that the physical therapist had inappropriately accessed patient PHI and copied data on December 1, and December 30, 2015.

Patients affected by the breach had previously attended the Vail Valley Medical Center or Howard Head Sports Medicine for treatment. VVMC contacted the former employee and requested the return of the stolen data and portable storage devices. Those devices have now been recovered and certification has been obtained confirming that no data have been retained, and copies have been securely destroyed. The Office for Civil Rights and law enforcement have been notified of the HIPAA violation and privacy breach. VVMC has advised patients to exercise caution and to check Explanation of Benefits statements for any sign of fraudulent activity.

This type of HIPAA breach is not uncommon. When healthcare workers leave their employer and go to work for another healthcare provider many are tempted to take patient data with them. While it is difficult to prevent the theft of PHI, healthcare organizations can take a number of steps to reduce the risk of this happening and to ensure that any unauthorized copying of data is rapidly identified.

In an effort to prevent this type of privacy breach from occurring in the future, VVMC has implemented tools that prevent the copying of patient data to portable storage devices and new controls are being developed that will make it easier for staff to monitor for inappropriate accessing of health records by employees. VVMC has also appointed a new member of staff to act as Health Information Manager. The main responsibilities of new role are to strengthen security controls and ensure that patient information is properly safeguarded. Further training has also been provided to staff members on HIPAA Rules and policies and procedures are being updated.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.